Going Dyn. Lights, Cameras…inaction
You might have read about the botnet that was used to take down Brian Krebs’ security blog site after he named and shamed the two Israeli youths behind a ‘DDOS for hire’ site a few weeks ago, we covered it here.
The name of this botnet is Mirai, and after the successful attack on Krebs’ site (which generated over 600Gbs of traffic) the source code for it was published for all to see and, err, copy and use. Krebs blogged about it himself here.
To the horror of many security/coding punters, it transpires that the code for the botnet isn’t very nice, however it does include a dictionary for all the default username and password combinations for most Internet Of Things tings and has been proven devastatingly effective once more.
If you were reading the papers or watching the news last week, you couldn’t miss the fact that major parts of the Internet were taken dyn, sorry down (we’re not that posh round here), using the self same botnet and its legion of home security cameras, lightbulbs, kettles and whatever the next silly connected device might be.
A massive DDOS attack was launched against Dyn (dyn.com, strapline ‘Manage The internet like you own it’!!), which is amongst other things, a provider of DNS services to many top of the tree Internet Services like Paypal, Spotify and Amazon to name but a few. Access to all of these services was restricted to many users in America during the DDOS attack, which is discussed by Dyn themselves, here.
The startling thing about this attack was that it used a mere 100,000 Internet of Things tings. Researchers currently estimate that there are 6 Beelion ting tings out there, most with default admin usernames and passwords.
Anyone who is anyone thinks this latest attack was the work of bedroom ‘script kiddies’ and since the source code has been published and they are fishing for vulnerable devices in a very big and growing pool, what can be done?
We are obviously in a situation where the horse has bolted. Recommending that home users change the default passwords on their shiny new tings sounds good on paper but will anyone listen? Probably not.
We would like to see ISPs step up and review devices connected to their networks, either actively (using code like Mirai – they wouldn’t even have to write it) or passively by identifying specific DDOS traffic, and issuing customers with written warnings to change the passwords and ultimately cut them off. This is even less likely to happen.
Some Chinese manufacturers have started recalling webcams after this latest attack, again, who will send them back? How many people actually registered the products?
This is a very tough question to be answered. Going forwards we think that these devices should not accept connections from devices outside of the local network until the default username and password have been changed to a suitably strong configuration. That might be more likely to happen.
In the meantime please change the username and passwords on your home kit. In the words of the band ‘The Ting Tings’, That’s Not My Username.
If you would like to discuss The Ting Tings or The Internet of Things, please contact us on: firstname.lastname@example.org or call us on 020 7517 3900.